The present application relates generally to an improved data processing apparatus and method and more specifically to mechanisms for identifying code vulnerabilities in source code and amalgamating instances of vulnerabilities across projects, as well as identifying individuals responsible for the instances and notifying them of the security vulnerabilities and potential solutions.
Many organizations use software applications to run critical business processes, conduct transactions with suppliers and deliver sophisticated services to customers. While organizations depend on such applications to run their businesses, many invest little to no effort ensuring that they are adequately secure. While these organizations understand established security technologies for routine tasks such as networking and operations, and for managing security procedures such as access control and authentication, many struggle with implementing, managing and maintaining effective application security programs. However, in today's increasingly sophisticated threat landscape, the bar must be raised.
Since applications can compromise overall security across the entire organization, securing them needs to become a top priority. Security vulnerabilities inadvertently introduced during application development can give hackers the ability to destabilize applications and obtain unfettered access to confidential information/data. This type of data loss can lead to a damaged brand reputation, loss of consumer confidence, disruption of business operations, interruption of the supply chain, threat of legal action and/or regulatory censure, etc.
Addressing application security can be quite challenging, especially for large organizations that manage thousands of applications. The task of ensuring application security typically falls on the shoulders of a small, overburdened security team.
Various mechanisms are generally known for identifying code vulnerabilities in source code. For example, U.S. Pat. No. 7,392,545, entitled “Systems and Methods for Detecting Software Security Vulnerabilities,” describes a program scanner coupled to an analysis engine, where the program scanner is configured to identify vulnerability patterns in a software program and output an initial potential vulnerability list. The analysis engine is configured to apply rules to the initial potential vulnerability list to determine whether the potential vulnerabilities are in fact actual vulnerabilities or not.
Another mechanism, as described in U.S. Patent Application Publication No. 2011/0173693, entitled “Assessment and Analysis of Software Security Flaws,” describes a security analysis and vulnerability testing mechanisms where the results are packaged and bound to the actual software. By linking the results to the software itself, downstream users of the software can access information about the software and make informed decisions about implementation of the software. Moreover, users may analyze the security risk across an entire system by accessing all of the reports associated with the executables running on the system and summarizing the risks identified in the reports. While this document describes an ability to summarize risks across an entire system, this is done by either performing separate scans of applications independently, or by using a benchmarking approach that generates security scores for applications independently, and providing an ability to generate a report of applications that match a specified application profile.
In general, security vulnerability analysis is limited to individual evaluation of applications and their specific security vulnerabilities.